Building Trust in the Cloud: Managing the Risk

The general conclusion is that there are many perceptions as to what a cloud is and what cloud services are. All are in agreement, however, that Cloud here to stay. Cloud adoption is gaining traction and although challenges still exist, depending on the vertical industry, adopting cloud services can provide significant value.

• Regulatory Constraints – depending on the vertical industry, organizations may be precluded from placing certain types of data in the cloud.

• Transparency – organizations have concerns regarding what the cloud providers can provide in terms of compliance reporting, or relating to a breach.

• Service Level Agreements – service level agreements are still in a state of evolution, with breach notification, exit capability and assurance that data is not commingled with another organization’s data.

• Audit Capability – Security organizations are challenged in auditing the cloud provider and gauging their level of security. While ISACA and the Cloud Security Alliance have models for reviewing a cloud provider’s security model, the framework for assessing the security of cloud providers is still evolving.

• Compliance - regulatory bodies have been slow to publish a type of guidance or regulatory framework that applies to cloud providers. Regulatory agencies are lagging behind as it relates to what is actually expected if you enter into agreement with a cloud provider.

• Location of data – it’s generally understood that you can control where the data goes. Also, security executives express concerns that in exiting an agreement with a cloud provider, is the data fully removed.

• Security in the Cloud – can a cloud provider do security better? The answer is it depends. Depending on the organization’s size and maturity, it may make sense to go to a cloud provider for security.